Introduction: ISO 28000 and the Security of the Supply Chain
ISO 28000:2022, Security and resilience — Security management systems — Requirements, is the international standard that specifies the requirements for a security management system (SMS), including the aspects critical to the security assurance of the supply chain. Originally published in 2007 and comprehensively revised in 2022, ISO 28000 provides organisations of any size or sector with a management-system framework for identifying, assessing, treating and monitoring security risks that arise across their end-to-end supply chains — from raw-material sourcing and inbound logistics, through manufacturing and warehousing, to distribution, transport and final delivery.
The 2022 revision realigned ISO 28000 with the ISO Harmonised Structure (formerly Annex SL / High-Level Structure) that governs all modern ISO management-system standards such as ISO 9001, ISO 14001, ISO 22301 and ISO/IEC 27001. This means ISO 28000 now shares the same ten-clause architecture, common terminology and Plan-Do-Check-Act (PDCA) logic, making it far easier to integrate a supply-chain security management system with an organisation's existing quality, environmental, business-continuity or information-security systems. Security in ISO 28000 is deliberately broad: it embraces physical security, personnel security, information and cyber security, transportation and cargo security, threats from terrorism, smuggling, theft, sabotage, piracy, fraud, natural hazards and other malicious or accidental disruptions to the supply chain.
ISO 28000 is a certifiable standard. An organisation can seek third-party certification from an accredited certification body, or use the standard for self-declaration, first-party or second-party (customer) assessment. It sits at the heart of the ISO 28000 family (the '28000 series'), which includes guidance and sector-specific companion standards for maritime port facilities, resilience in the supply chain, and best-practice implementation. This guide provides an auditor-grade, clause-by-clause treatment of ISO 28000:2022 for both the assessor and the implementing security/CISO team.
What Is ISO 28000?
ISO 28000:2022 specifies the requirements for establishing, implementing, maintaining and continually improving a security management system (SMS) to enhance the security of supply chains. The word 'security' here refers to the resistance to intentional, unauthorised acts designed to cause harm or damage to, or by, the supply chain — supplemented by resilience against accidental and natural disruptions. The standard is generic and intended to be applicable to all organisations (or parts thereof), regardless of type, size or nature, that wish to establish, implement, maintain and improve an SMS; to assure conformity with a stated security-management policy; and to demonstrate that conformity to others.
Key characteristics of ISO 28000:2022:
- Risk-based: the SMS is driven by a documented security risk assessment and treatment process that considers threats, vulnerabilities, likelihood and consequence across the supply chain.
- Management-system based: it follows the ten-clause Harmonised Structure with the PDCA cycle, requiring policy, planning, support, operation, performance evaluation and improvement.
- Broad security scope: physical, personnel, procedural, information/cyber, transport and cargo, and environmental/natural-hazard dimensions of supply-chain security.
- Lifecycle across the supply chain: covers manufacturing, servicing, storage/warehousing, transport (road, rail, sea, air, pipeline), and the flow of goods, information, funds and people.
- Integrable and certifiable: designed to be aligned and integrated with ISO 9001, ISO 14001, ISO 22301, ISO/IEC 27001 and ISO 31000, and auditable by accredited certification bodies.
- Applicable to any tier: usable by a single logistics operator, a global manufacturer, a port operator, a freight forwarder, a 3PL/4PL provider or an entire multi-tier supply network.
ISO 28000 differs from prescriptive security regulations (such as the WCO SAFE Framework, C-TPAT or the ISPS Code) in that it does not mandate a fixed list of controls; instead it requires the organisation to determine appropriate controls based on its own risk assessment. It complements those schemes and can be used to operationalise their requirements within a single, auditable management system. The 2022 edition also strengthened leadership, context, planning-of-changes and operational-planning requirements relative to the 2007 edition.
Who Must Comply / Scope of Applicability
ISO 28000 is voluntary — no law compels adoption — but many organisations pursue it because customers, regulators, insurers or trading partners require demonstrable supply-chain security. It is most relevant to any entity that owns, operates within, or depends upon a supply chain where security failures would cause loss, injury, regulatory breach or reputational damage. The following table summarises the principal categories of organisation for which ISO 28000 is applicable and the typical drivers.
| Organisation type / sector | Why ISO 28000 applies | Typical driver |
|---|---|---|
| Manufacturers and producers | Protect inbound materials, in-process goods and finished-product flows from theft, tampering and counterfeiting | Customer/OEM contractual requirement; brand protection |
| Logistics, freight forwarders, 3PL/4PL | Secure cargo in transit and in storage across multiple modes and jurisdictions | AEO/C-TPAT alignment; carrier and shipper requirements |
| Ports, terminals and maritime operators | Protect port facilities, vessels and cargo (complements ISPS Code, ISO 28001/28004) | Regulatory and international trade security |
| Warehousing and distribution centres | Physical and inventory security; access control; personnel vetting | Insurance; loss prevention; retailer mandates |
| Air cargo and aviation supply chain | Secure air freight, known-consignor status, screening integrity | Civil aviation security regulation (e.g. RA3/ACC3) |
| Retailers and consumer-goods brands | End-to-end product integrity and anti-diversion | Consumer safety; anti-grey-market |
| Pharmaceutical and medical-device supply chains | Cold-chain and product-integrity security; serialisation | GDP/GMP; anti-counterfeiting regulation |
| Critical-infrastructure and utilities suppliers | Protect supply of essential goods/services from sabotage and disruption | National resilience mandates |
| Government and defence procurement chains | Assurance of supplier security posture across tiers | Sovereign security and export-control requirements |
| Financial-value cargo (cash, bullion, high-value electronics) | High-theft-risk consignment protection | Insurer and CIT (cash-in-transit) requirements |
Scope of applicability within an organisation: ISO 28000 allows an organisation to define the boundaries and applicability of its SMS. The scope may cover the whole organisation, a single site, a business unit, a specific product line, a mode of transport, or a defined segment of the supply chain. The scope must be documented and must consider internal and external issues, interested parties, and the interfaces and dependencies with activities performed by other organisations (suppliers, sub-contractors, partners). Unlike ISO/IEC 27001, ISO 28000 does not carry an Annex A of mandatory candidate controls — the control set is derived entirely from the organisation's risk assessment, though ISO 28004 and ISO 28001 offer guidance on suitable controls.
Structure of ISO 28000:2022
ISO 28000:2022 follows the ISO Harmonised Structure of ten clauses. Clauses 1 to 3 are introductory (scope, normative references, terms and definitions) and contain no auditable requirements. Clauses 4 to 10 contain the requirements against which an organisation is assessed and certified. The table below maps the clause architecture and the principal requirement areas of each — this is the normative backbone of the SMS.
| Clause | Title | Principal requirement areas |
|---|---|---|
| 1 | Scope | Statement of applicability of the standard (informative) |
| 2 | Normative references | Referenced documents (informative) |
| 3 | Terms and definitions | Vocabulary, including supply chain, security, SMS (informative) |
| 4 | Context of the organisation | 4.1 Understanding the organisation and its context; 4.2 Needs and expectations of interested parties; 4.3 Determining the scope of the SMS; 4.4 SMS and its processes |
| 5 | Leadership | 5.1 Leadership and commitment; 5.2 Security policy; 5.3 Organisational roles, responsibilities and authorities |
| 6 | Planning | 6.1 Actions to address risks and opportunities (incl. 6.1.2 security risk assessment and 6.1.3 treatment); 6.2 Security objectives and planning to achieve them; 6.3 Planning of changes |
| 7 | Support | 7.1 Resources; 7.2 Competence; 7.3 Awareness; 7.4 Communication; 7.5 Documented information |
| 8 | Operation | 8.1 Operational planning and control; 8.2 Identification of processes and activities; 8.3 Risk assessment and treatment (operational); 8.4 Security controls and strategies; 8.5 Security plans; incident management / response |
| 9 | Performance evaluation | 9.1 Monitoring, measurement, analysis and evaluation; 9.2 Internal audit; 9.3 Management review |
| 10 | Improvement | 10.1 Continual improvement; 10.2 Nonconformity and corrective action |
In addition to the ten clauses, the ISO 28000 family provides supporting standards that assessors and implementers should be aware of. These are summarised below.
| Standard | Title / purpose | Relationship to ISO 28000 |
|---|---|---|
| ISO 28000:2022 | Security management systems — Requirements | The certifiable requirements standard (this guide) |
| ISO 28001:2007 | Best practices for implementing supply chain security | Guidance on security assessments and plans, medium-security supply chains |
| ISO 28003:2007 | Requirements for bodies providing audit and certification | Accreditation/certification-body requirements |
| ISO 28004 series | Guidelines for the implementation of ISO 28000 | Practical implementation guidance and control examples |
| ISO 22301 | Business continuity management systems | Complementary resilience management system; frequently integrated |
| ISO 31000 | Risk management — Guidelines | Underpins the risk-assessment methodology of Clause 6 |
Master Assessment Checklist
This is the core of the guide. Each auditable clause (4 to 10) and its sub-clauses are enumerated below with a dedicated table stating what the assessor must verify and the typical evidence to request. No requirement area is omitted. Findings should be graded as conformity, minor nonconformity, major nonconformity, or opportunity for improvement (OFI), consistent with ISO 28003 / ISO 19011 audit conventions.
Clause 4 — Context of the Organisation
| What to verify | Typical evidence |
|---|---|
| 4.1 The organisation has determined internal and external issues relevant to its purpose that affect the SMS and supply-chain security outcomes | Context analysis, PESTLE/SWOT, threat landscape assessment, environmental scan documentation |
| 4.2 Interested parties relevant to the SMS and their relevant requirements (legal, regulatory, contractual, customer) are identified and monitored | Stakeholder register, legal/regulatory register, customer security requirement matrix |
| 4.3 The scope of the SMS is determined and documented, considering context, interested parties and supply-chain interfaces/dependencies | Documented SMS scope statement; boundary/site list; interface and dependency map |
| 4.4 The SMS and its processes are established, implemented, maintained and continually improved with defined process interactions | SMS manual/description; process map; PDCA process definitions; process owners |
Clause 5 — Leadership
| What to verify | Typical evidence |
|---|---|
| 5.1 Top management demonstrates leadership and commitment: accountability, integration of the SMS into business processes, provision of resources, and promotion of continual improvement | Management-review minutes, resource-allocation records, leadership communications, budget approvals |
| 5.2 A documented security policy is established, appropriate to purpose, provides a framework for objectives, includes commitment to satisfy requirements and continual improvement, and is communicated | Signed security-management policy; distribution/communication records; intranet/notice postings |
| 5.3 Roles, responsibilities and authorities for the SMS are assigned, communicated and understood; a security manager/management representative is designated | Organisation chart; RACI matrix; security-manager appointment letter; job descriptions |
Clause 6 — Planning
| What to verify | Typical evidence |
|---|---|
| 6.1.1 Risks and opportunities arising from context and interested parties are determined and addressed to give assurance the SMS can achieve outcomes and prevent/reduce undesired effects | Risk-and-opportunity register; planning records; integration into SMS actions |
| 6.1.2 A documented security risk assessment process is defined and applied: identification of threats/hazards, vulnerabilities, likelihood and consequence across the supply chain | Risk-assessment methodology; threat/vulnerability register; risk criteria; risk assessment reports |
| 6.1.3 Security risk treatment: options selected, controls determined, residual risk evaluated and accepted by risk owners; a statement of applicability of chosen controls | Risk-treatment plan; control selection rationale; residual-risk acceptance sign-off; risk owner records |
| 6.2 Measurable security objectives are established at relevant functions/levels, consistent with the policy, monitored, communicated and updated; plans define what, who, resources, timing and evaluation | Security-objectives register; objective action plans; KPI targets; review records |
| 6.3 Changes to the SMS are planned in a controlled manner (purpose, consequences, integrity, resources, responsibilities) | Change-management procedure; change requests/logs; impact assessments |
Clause 7 — Support
| What to verify | Typical evidence |
|---|---|
| 7.1 Resources needed for the SMS (people, infrastructure, technology, finance) are determined and provided | Budget records; resource plans; equipment/technology inventory; staffing plans |
| 7.2 Competence of persons affecting security performance is determined, ensured (education, training, experience) and evaluated; actions taken to acquire competence | Competence matrix; training records; certifications; recruitment criteria; effectiveness evaluations |
| 7.3 Persons are aware of the security policy, their contribution to the SMS, and implications of nonconformity | Awareness-programme records; induction packs; toolbox talks; awareness quiz results |
| 7.4 Internal and external communication needs are determined (what, when, with whom, how, by whom) including with supply-chain partners and authorities | Communication plan/matrix; stakeholder communications log; escalation contact lists |
| 7.5 Documented information required by the standard and by the organisation is created, controlled (identification, format, review, approval, version, access, retention, disposition) | Document control procedure; master document list; version history; access controls; retention schedule |
Clause 8 — Operation
| What to verify | Typical evidence |
|---|---|
| 8.1 Operational processes needed to meet requirements and implement Clause 6 actions are planned, implemented and controlled, with criteria and control of outsourced processes | Operational procedures; control criteria; outsourced-process control agreements; SLAs |
| 8.2 Security-relevant processes and activities across the supply chain are identified, including physical, personnel, information, transport and cargo security touchpoints | Process inventory; supply-chain flow/asset maps; site security surveys |
| 8.3 Operational-level security risk assessment and treatment is performed and kept current for actual operations and changes | Operational risk assessments; site-specific risk registers; reassessment triggers |
| 8.4 Security controls and strategies (physical access, surveillance/CCTV, screening, seals/locks, vetting, cyber controls, cargo integrity, supplier controls) are selected and operating | Control-implementation records; access logs; CCTV/alarm records; seal logs; supplier security clauses |
| 8.5 Security plans are documented, implemented and maintained for normal, elevated-threat and incident conditions; response and recovery procedures are defined and exercised | Security plans; emergency/incident response plans; exercise/drill reports; recovery procedures |
Clause 9 — Performance Evaluation
| What to verify | Typical evidence |
|---|---|
| 9.1 What is monitored/measured, the methods, and when analysis/evaluation occurs are defined; security performance and SMS effectiveness are evaluated with retained evidence | Monitoring plan; KPI dashboards; measurement records; analysis reports |
| 9.2 A planned internal audit programme evaluates conformity to the standard and to the organisation's requirements and effective implementation; auditor objectivity ensured; results reported | Audit programme/schedule; audit plans; auditor competence/independence records; audit reports; NC log |
| 9.3 Top management reviews the SMS at planned intervals covering status of actions, changes, performance, audit results, nonconformities, risk changes, opportunities for improvement | Management-review agenda and minutes; input packs; decisions/action items; resource decisions |
Clause 10 — Improvement
| What to verify | Typical evidence |
|---|---|
| 10.1 The organisation continually improves the suitability, adequacy and effectiveness of the SMS | Improvement register; trend analysis; before/after performance data |
| 10.2 Nonconformities are reacted to, controlled and corrected; root cause is determined; corrective actions are implemented and their effectiveness reviewed; documented | Nonconformity/corrective-action reports (CAPA); root-cause analyses; effectiveness verification records |
Supply-Chain Security Control Domains (Operational Verification)
Because Clause 8 requires the organisation to derive its own controls, the assessor must verify the actual security controls in operation. ISO 28004 and ISO 28001 group these into functional domains. The following table enumerates the operational control domains that a competent SMS should cover.
| What to verify | Typical evidence |
|---|---|
| Physical and facility security: perimeter, access control, intrusion detection, CCTV, lighting, secure storage of high-value/high-risk goods | Site security plans; access-control system logs; CCTV coverage maps; alarm test records |
| Personnel security: pre-employment screening/vetting, background checks, contractor/visitor management, insider-threat controls | Vetting policy; background-check records; visitor logs; contractor security agreements |
| Information and cyber security: protection of shipment data, EDI/manifests, systems integrity (integration with ISO/IEC 27001) | Access-control lists; encryption evidence; ISMS interface; data-classification records |
| Cargo and conveyance security: container/trailer inspection (7-point/17-point), high-security seals (ISO 17712), load integrity, tracking/telematics | Seal registers; inspection checklists; GPS/telematics reports; tamper-evidence records |
| Transport and route security: route risk assessment, secure parking, driver protocols, escort/convoy for high-risk cargo | Route risk assessments; transport security procedures; driver briefings; incident maps |
| Business-partner / supplier security: supplier security requirements, assessment/audit of partners, contractual security clauses | Supplier security questionnaires; audit reports; contract security annexes; approved-vendor list |
| Procedural security: documentation control, manifesting accuracy, chain-of-custody, reconciliation, anti-diversion | Manifesting procedures; chain-of-custody records; reconciliation reports; discrepancy logs |
| Incident, threat and crisis management: threat-level escalation, security incident reporting, investigation, liaison with authorities | Incident log; escalation matrix; investigation reports; law-enforcement liaison records |
Scoping and Materiality / Tiering
Defining an appropriate SMS scope and prioritising effort by materiality is essential to a cost-effective and auditable implementation. ISO 28000 does not prescribe a tiering model, but assessors expect the organisation to demonstrate a rational, risk-based approach to what is in scope and where controls are concentrated.
- Boundary definition: fix the organisational, geographic and supply-chain boundaries of the SMS (which sites, entities, modes and segments are covered), and record explicit exclusions with justification.
- Criticality/materiality assessment: rank supply-chain nodes and flows by value at risk, threat exposure, consequence of disruption, and regulatory/contractual sensitivity.
- Tiering of suppliers and nodes: classify partners into tiers (e.g. Tier 1 direct/critical, Tier 2 significant, Tier 3 low-impact) and apply proportionate security requirements and assurance depth.
- Threat-level tiering: define graded security postures (normal / elevated / high / severe) and pre-agreed control uplifts for each, aligned with national threat advisories.
- High-value / high-risk cargo designation: identify goods requiring enhanced controls (theft-attractive, hazardous, controlled, or safety-critical) and apply stricter chain-of-custody.
- Interface and dependency treatment: where activities are outsourced, define the type and extent of control retained and the assurance obtained over the outsourced party.
| Materiality tier | Definition | Control and assurance expectation |
|---|---|---|
| Tier 1 — Critical | Nodes/partners whose failure causes major loss, safety, regulatory or continuity impact | Full control set; direct audit; continuous monitoring; contractual security obligations |
| Tier 2 — Significant | Meaningful value or exposure but with mitigations/alternatives available | Core controls; periodic assessment; questionnaire plus targeted audit |
| Tier 3 — Standard | Routine, low-value or easily substitutable nodes | Baseline controls; self-assessment/questionnaire; sampling |
| Excluded (justified) | Out-of-scope activities with documented rationale | No SMS controls; documented exclusion and periodic re-validation |
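The following Python script is an added illustration, not text from ISO 28000 or any of the companion standards, of how the Clause 6.1.2/6.1.3 risk assessment and the materiality tiering above can be operated together as one register: each node is scored and tiered, each threat scenario gets an inherent and a residual score, and the residual is compared with a per-tier risk appetite to decide whether the risk owner may accept it or further treatment is required. The 1-5 scales, the tier thresholds, the appetite values and the sample nodes and risks are all constructed assumptions; an organisation substitutes its own documented risk criteria.

```python
"""Added example (not ISO 28000 text): materiality tiering of supply-chain
nodes and a likelihood x consequence security risk assessment with
residual-risk evaluation against a per-tier risk appetite.
All scales, thresholds and sample nodes/risks are constructed assumptions."""
from dataclasses import dataclass

# Assumed materiality thresholds on the score below; ISO 28000 leaves these to the organisation.
TIER_THRESHOLDS = [(16, "Tier 1 - Critical"), (9, "Tier 2 - Significant"), (0, "Tier 3 - Standard")]
# Assumed risk appetite: highest residual score (likelihood x consequence) a risk owner may accept.
RISK_APPETITE = {"Tier 1 - Critical": 4, "Tier 2 - Significant": 8, "Tier 3 - Standard": 12}


@dataclass
class Node:
    """A supply-chain node or partner, rated on assumed 1-5 ordinal scales."""
    name: str
    value_at_risk: int            # value of goods/flows exposed at this node
    threat_exposure: int          # likelihood of hostile activity at this node
    disruption_consequence: int   # impact of losing the node (safety, continuity)
    regulatory_sensitive: bool    # contractual/regulatory sensitivity (e.g. export control)


@dataclass
class Risk:
    """One threat scenario against a node, before and after existing controls."""
    node: str
    threat: str
    likelihood: int               # 1-5
    consequence: int              # 1-5
    control_effectiveness: float  # 0.0-1.0 reduction in likelihood from controls in place
    owner_accepted: bool = False  # documented residual-risk acceptance by the risk owner


def materiality_score(node: Node) -> int:
    """Rank by the worst of value, consequence and regulatory sensitivity, scaled by exposure."""
    severity = max(node.value_at_risk, node.disruption_consequence,
                   5 if node.regulatory_sensitive else 0)
    return severity * node.threat_exposure


def tier_for(node: Node) -> str:
    """Map the materiality score onto the assumed tier thresholds (highest first)."""
    score = materiality_score(node)
    for threshold, tier in TIER_THRESHOLDS:
        if score >= threshold:
            return tier
    return TIER_THRESHOLDS[-1][1]


def inherent_risk(risk: Risk) -> int:
    return risk.likelihood * risk.consequence


def residual_risk(risk: Risk) -> int:
    """Controls are modelled as reducing likelihood; consequence is left unchanged."""
    reduced = max(1, round(risk.likelihood * (1 - risk.control_effectiveness)))
    return reduced * risk.consequence


def treatment_decision(risk: Risk, tier: str) -> str:
    """Clause 6.1.3 logic: treat further, or record/await risk-owner acceptance."""
    if residual_risk(risk) > RISK_APPETITE[tier]:
        return "treat further"
    return "accepted" if risk.owner_accepted else "acceptance pending"


def assess(nodes, risks):
    """Return {node: tier} and {(node, threat): decision} for an audit-ready register."""
    tiers = {n.name: tier_for(n) for n in nodes}
    decisions = {(r.node, r.threat): treatment_decision(r, tiers[r.node]) for r in risks}
    return tiers, decisions


# Constructed sample register (not real organisations or incidents).
SAMPLE_NODES = [
    Node("Port terminal A", 5, 4, 5, True),
    Node("Regional DC", 3, 3, 3, False),
    Node("Packaging supplier", 1, 2, 2, False),
]
SAMPLE_RISKS = [
    Risk("Port terminal A", "cargo theft", 4, 5, 0.5),
    Risk("Regional DC", "unauthorised access", 3, 3, 0.6),
    Risk("Packaging supplier", "documentation fraud", 2, 2, 0.0, owner_accepted=True),
]

if __name__ == "__main__":
    tiers, decisions = assess(SAMPLE_NODES, SAMPLE_RISKS)
    for n in SAMPLE_NODES:
        print(f"{n.name}: score={materiality_score(n)} -> {tiers[n.name]}")
    for (node, threat), decision in decisions.items():
        print(f"{node} / {threat}: {decision}")
```

The point an assessor looks for is visible in the output: the Tier 1 port terminal's cargo-theft scenario still scores 10 after a 50% effective control, above the Tier 1 appetite of 4, so the register must show further treatment rather than a signed acceptance, whereas the Tier 3 supplier's residual 4 is within appetite and needs only the documented owner sign-off.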
Implementation Approach
A phased implementation aligned to the PDCA cycle allows an organisation to build the SMS in a controlled, evidence-generating manner. The following phases (with activities and deliverables) reflect a typical 9–12 month implementation to certification readiness.
Phase 1 — Initiate and Establish Context (Plan)
- Activities: secure top-management sponsorship; define provisional scope; perform context (Clause 4.1) and interested-party (4.2) analysis; establish legal/regulatory/contractual register; appoint the security manager and project team.
- Deliverables: project charter; SMS scope statement; context analysis; stakeholder and legal registers; governance/RACI.
Phase 2 — Risk Assessment and Treatment Planning (Plan)
- Activities: adopt a risk methodology (aligned to ISO 31000); map supply-chain flows and assets; identify threats, vulnerabilities and consequences; assess and evaluate risks; select treatment options and controls; obtain risk-owner acceptance of residual risk.
- Deliverables: risk-assessment methodology; threat/vulnerability and risk registers; risk-treatment plan; statement of applicable controls; residual-risk acceptance.
Phase 3 — Design the SMS and Documentation (Plan)
- Activities: draft security policy and objectives; define processes and procedures; design document-control and record-keeping; define competence, awareness and communication plans; design monitoring and measurement.
- Deliverables: security policy; objectives register; SMS manual and procedures; document-control procedure; competence and communication plans; KPI framework.
Phase 4 — Implement Controls and Operate (Do)
- Activities: deploy physical, personnel, information, cargo, transport, procedural and partner controls; implement security plans for normal/elevated/incident states; roll out training and awareness; onboard supplier security requirements.
- Deliverables: implemented controls with operating records; security plans; incident-response procedures; training records; supplier security agreements.
Phase 5 — Monitor, Audit and Review (Check)
- Activities: collect KPIs and monitoring data; conduct security exercises/drills; run the internal audit programme; hold management review; log and act on nonconformities.
- Deliverables: monitoring/KPI records; exercise reports; internal audit reports; management-review minutes; nonconformity/corrective-action log.
Phase 6 — Improve and Certify (Act)
- Activities: close corrective actions; conduct pre-assessment/gap review; select an accredited certification body; complete Stage 1 (documentation) and Stage 2 (implementation) audits; establish continual-improvement cadence.
- Deliverables: closed CAPAs; certification-readiness report; Stage 1/Stage 2 audit outcomes; certificate of registration; surveillance-audit plan.
Maturity / Capability Model
While ISO 28000 certification is pass/fail against the requirements, organisations benefit from tracking capability maturity to prioritise investment and demonstrate continual improvement. The following five-level model (adapted from common CMMI-style scales) can be applied to each clause area and control domain.
| Level | Name | Characteristics |
|---|---|---|
| 1 | Initial / Ad hoc | Security handled reactively; no documented SMS; controls inconsistent; reliant on individuals |
| 2 | Developing / Repeatable | Basic policy and procedures exist for key areas; risk assessment partial; documentation incomplete |
| 3 | Defined | SMS documented and aligned to ISO 28000 clauses; risk-based controls implemented across scope; roles defined |
| 4 | Managed / Measured | Performance monitored via KPIs; internal audits and management reviews operating; data-driven decisions |
| 5 | Optimising | Continual improvement embedded; predictive risk management; integrated with other management systems; benchmarked |
Assessment and Audit Approach
An ISO 28000 audit (whether internal, certification Stage 1/2, or surveillance) should be conducted per ISO 19011 (auditing guidelines) and, for certification bodies, ISO 28003 / ISO/IEC 17021-1. The recommended sequence is set out below.
- Define audit objectives, scope and criteria (ISO 28000:2022 plus the organisation's own SMS documentation and applicable legal/contractual requirements).
- Conduct a Stage 1 / documentation review: assess context, scope, policy, risk assessment, risk-treatment plan and readiness for Stage 2.
- Plan the Stage 2 / implementation audit: prepare the audit plan, allocate competent auditors, and schedule site and process sampling.
- Perform an opening meeting to confirm scope, logistics, confidentiality and reporting arrangements with the auditee.
- Gather evidence through interviews, document/record review, direct observation of controls, and sampling across sites, modes and supply-chain nodes.
- Test operating effectiveness of controls (e.g. access control, seal integrity, screening, incident response) and trace samples end-to-end through chain-of-custody.
- Evaluate findings against each clause; classify as conformity, minor NC, major NC or OFI, with objective evidence recorded for each.
- Hold a closing meeting to present findings, agree the significance of nonconformities and confirm the corrective-action timeline.
- Issue the audit report; the auditee performs root-cause analysis and submits a corrective-action plan for major/minor nonconformities.
- Verify corrective-action effectiveness (evidence review or follow-up visit); recommend certification/continuation; schedule surveillance audits and the three-year recertification.
Evidence Request List
The assessor should request the following documented information and records, organised by category. This list supports both a readiness (gap) assessment and a formal certification audit.
- Context and scope: context analysis; interested-party register; SMS scope statement; supply-chain flow and asset maps; interface/dependency register.
- Leadership and policy: signed security policy; leadership commitment evidence; organisational chart; RACI; security-manager appointment.
- Legal and compliance: legal/regulatory register; customer/contractual security requirements; permits/licences; export-control records.
- Risk management: risk-assessment methodology; threat/vulnerability and risk registers; risk-treatment plan; statement of applicable controls; residual-risk acceptance.
- Objectives and planning: security-objectives register and action plans; change-management records; KPI targets.
- Support: resource/budget records; competence matrix and training records; awareness-programme evidence; communication plan; document-control procedure and master list.
- Operation — physical: site security plans; access-control and CCTV/alarm records; secure-storage arrangements.
- Operation — personnel: vetting/background-check policy and records; visitor and contractor logs; insider-threat controls.
- Operation — cargo/transport: seal registers (ISO 17712); container/trailer inspection checklists; telematics/GPS logs; route risk assessments; driver procedures.
- Operation — information/cyber: data-classification; access controls; ISMS interface (ISO/IEC 27001); shipment-data protection evidence.
- Operation — partners: supplier security questionnaires; partner audit reports; contract security annexes; approved-vendor list.
- Security plans and incidents: normal/elevated/incident security plans; incident/investigation reports; drill/exercise reports; law-enforcement liaison records.
- Performance and improvement: monitoring/KPI dashboards; internal audit programme and reports; management-review minutes; nonconformity/CAPA log; continual-improvement register.
Roles and Responsibilities
| Role | Key responsibilities | SMS clause linkage |
|---|---|---|
| Top management / board | Overall accountability; approve policy and resources; conduct management review; embed SMS into business | Clause 5.1, 9.3 |
| Security manager / SMS representative | Establish, maintain and report on the SMS; coordinate risk assessment, audits and improvement | Clause 5.3, 6, 9 |
| Risk owners | Accept and manage residual security risks in their areas; approve treatments | Clause 6.1.3 |
| Site / facility security officers | Implement and operate physical, personnel and procedural controls on site | Clause 8.4, 8.5 |
| Logistics / transport managers | Ensure cargo, conveyance and route security controls in transit | Clause 8.2–8.5 |
| Procurement / supplier management | Impose and assure supplier security requirements; manage partner audits | Clause 8.1, 8.4 |
| IT / information security (CISO) | Protect shipment and SMS information; integrate with ISO/IEC 27001 | Clause 8.4, 7.5 |
| HR | Personnel screening, competence, awareness and training administration | Clause 7.2, 7.3, 8.4 |
| Internal audit | Independently audit SMS conformity and effectiveness; report to management | Clause 9.2 |
| All employees and contractors | Follow security procedures; report incidents and vulnerabilities | Clause 7.3, 10.2 |
KPIs / Metrics to Track
- Number and severity of security incidents (theft, tampering, breach, unauthorised access) per period and per node.
- Cargo loss/shrinkage rate and value at risk versus target.
- Seal integrity failure rate and container/trailer inspection discrepancy rate.
- Percentage of high-risk suppliers assessed/audited on schedule and their remediation closure rate.
- Access-control violation and tailgating incident counts; CCTV/alarm availability uptime.
- Personnel vetting completion rate before deployment; training and awareness completion rate.
- Mean time to detect and mean time to respond to security incidents.
- Percentage of identified risks with treatment implemented and residual risk accepted.
- Internal audit findings by clause, and corrective-action on-time closure rate.
- Number of security drills/exercises conducted and issues identified/closed.
- Chain-of-custody reconciliation exception rate and anti-diversion detection count.
- Percentage of security objectives achieved per review cycle.
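As an added illustration of the chain-of-custody reconciliation KPI listed above (example code written for this guide, not part of ISO 28000 or any vendor tool; the shipment references, node names and seal numbers are constructed), the script below walks each shipment's custody events in time order and flags any receipt whose seal does not match the preceding dispatch record, or that has no dispatch record at all, then reports the exception rate:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CustodyEvent:
    """Custody handoff: action is "dispatch" (seal applied on departure) or "receipt" (seal read on arrival)."""
    shipment: str
    node: str
    action: str
    seal: str
    ts: str  # ISO 8601 timestamp; sorts correctly as text in this fixed format

# Constructed sample records: shipment references, node names and seal numbers are made up.
SAMPLE_EVENTS = [
    CustodyEvent("SHP-001", "ORIGIN-DC", "dispatch", "S-1001", "2024-03-01T08:00"),
    CustodyEvent("SHP-001", "CARRIER-A", "receipt",  "S-1001", "2024-03-01T09:30"),
    CustodyEvent("SHP-001", "CARRIER-A", "dispatch", "S-1001", "2024-03-01T10:00"),
    CustodyEvent("SHP-001", "DEST-DC",   "receipt",  "S-1001", "2024-03-02T07:45"),
    # Seal read at destination differs from the seal recorded on dispatch: possible re-sealing
    CustodyEvent("SHP-002", "ORIGIN-DC", "dispatch", "S-1002", "2024-03-01T08:10"),
    CustodyEvent("SHP-002", "DEST-DC",   "receipt",  "S-1099", "2024-03-02T06:20"),
    # First record is a receipt with no preceding dispatch: a gap in the custody chain
    CustodyEvent("SHP-003", "CARRIER-B", "receipt",  "S-1003", "2024-03-01T11:00"),
    CustodyEvent("SHP-003", "CARRIER-B", "dispatch", "S-1003", "2024-03-01T11:30"),
    CustodyEvent("SHP-003", "DEST-DC",   "receipt",  "S-1003", "2024-03-02T05:00"),
]

def reconcile(events):
    """Return {shipment: [exception, ...]}; each receipt must carry the seal of the preceding dispatch."""
    by_shipment = {}
    for ev in events:
        by_shipment.setdefault(ev.shipment, []).append(ev)
    exceptions = {}
    for shp, evs in by_shipment.items():
        found, last_dispatch = [], None
        for ev in sorted(evs, key=lambda e: e.ts):
            if ev.action == "dispatch":
                last_dispatch = ev
            elif ev.action == "receipt":
                if last_dispatch is None:
                    found.append(f"{ev.node}: receipt of seal {ev.seal} with no preceding dispatch record")
                elif ev.seal != last_dispatch.seal:
                    found.append(f"{ev.node}: seal {ev.seal} read on receipt, but {last_dispatch.seal} "
                                 f"was recorded on dispatch from {last_dispatch.node}")
                last_dispatch = None  # each dispatch is matched by exactly one receipt
        exceptions[shp] = found
    return exceptions

def exception_rate(events):
    """KPI: percentage of shipments with at least one chain-of-custody exception."""
    results = reconcile(events)
    flagged = sum(1 for exc in results.values() if exc)
    return round(100.0 * flagged / len(results), 1) if results else 0.0
```

Feeding the sample records through `exception_rate` gives 66.7, since two of the three constructed shipments carry an exception; the per-shipment messages from `reconcile` are what would go into the chain-of-custody exception log and the incident/investigation workflow.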
Readiness Checklist
- Top-management sponsorship secured and security policy approved and communicated.
- SMS scope documented with boundaries, exclusions and supply-chain interfaces defined.
- Context, interested-party and legal/regulatory registers completed and maintained.
- Documented security risk-assessment methodology adopted and applied across scope.
- Risk register, risk-treatment plan and statement of applicable controls in place with residual risk accepted.
- Security manager and roles/authorities assigned and communicated (RACI).
- Measurable security objectives set with action plans and KPI targets.
- Physical, personnel, information, cargo, transport, procedural and partner controls implemented with records.
- Security plans for normal, elevated and incident conditions documented and exercised.
- Competence matrix, training and awareness programmes delivered with records.
- Communication and document-control procedures operating with version control.
- Monitoring/KPI framework producing evidence; internal audit programme completed at least once.
- Management review held with inputs, decisions and actions recorded.
- Nonconformity and corrective-action process functioning with root-cause analysis.
- Pre-assessment/gap review completed and material gaps closed prior to certification audit.
Common Gaps and Findings
- Scope defined too narrowly or vaguely, excluding critical supply-chain interfaces or outsourced activities without justification.
- Risk assessment is generic and not specific to actual supply-chain threats, nodes and modes; no link between risks and selected controls.
- No statement of applicable controls or residual-risk acceptance signed by identified risk owners.
- Security objectives absent or not measurable; no plans defining what, who, when and how evaluated.
- Supplier/business-partner security not assessed or contractually imposed; multi-tier exposure ignored.
- Weak personnel security: incomplete vetting, poor visitor/contractor control, no insider-threat consideration.
- Cargo controls not evidenced: missing seal registers (ISO 17712), no inspection checklists, unverified telematics.
- Information/cyber security of shipment data not integrated with the ISMS or overlooked entirely.
- Security plans for elevated-threat and incident conditions missing or never exercised/drilled.
- Internal audits not covering all clauses/sites, or auditors lacking independence/competence.
- Management review held infrequently or without required inputs, decisions and follow-up actions.
- Corrective actions treat symptoms without root-cause analysis; effectiveness never verified.
- Documented information poorly controlled: obsolete versions in use, no retention/access controls.
- Awareness gaps: staff cannot articulate the policy or their role in the SMS.
ISO 28000 Mapped to Other Frameworks
ISO 28000 shares the Harmonised Structure with other ISO management-system standards, enabling integrated audits and shared documentation. It also complements customs, aviation and cyber supply-chain regimes. The table below maps key ISO 28000 areas to related frameworks.
| ISO 28000 area | Related framework / control | Mapping notes |
|---|---|---|
| Full SMS (Clauses 4–10) | ISO 22301 (BCMS) | Shared Harmonised Structure; security + continuity commonly integrated |
| Information/cyber security controls (8.4) | ISO/IEC 27001 Annex A / ISO 27036 | SMS shipment-data protection integrates with ISMS supplier-security controls |
| Risk assessment and treatment (6.1) | ISO 31000 | ISO 31000 provides the underpinning risk-management principles and process |
| Cargo and customs security | WCO SAFE Framework / AEO | ISO 28000 operationalises AEO/Authorised Economic Operator security criteria |
| US import supply-chain security | C-TPAT (CTPAT) minimum security criteria | Strong overlap on physical, personnel, cargo and partner security; supports mutual recognition |
| Maritime and port facility security | ISPS Code / ISO 28001 / ISO 28004 | ISO 28000 provides the management system around ISPS operational requirements |
| Cyber supply-chain risk | NIST SP 800-161 / SP 800-53 SR family | Complementary supplier-risk controls for the information dimension of the supply chain |
| Quality and process control | ISO 9001 | Common clause structure enables integrated QMS/SMS management |
| Environmental and safety | ISO 14001 / ISO 45001 | Shared structure supports an integrated management system (IMS) |